Restrict Outbound Port 25 to one IP only

conrad2467
Level 1

Hi,

I want to restrict outgoing smtp traffic to our mail server only.

Mail server: 192.168.1.13

Router: Cisco 857W

I have implemented the following access-list, but other PCs can still telnet to mail servers via port 25. Where have I gone wrong?

RouterID#show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.13 any eq smtp
    20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp log
    30 permit ip 192.168.1.0 0.0.0.255 any
Extended IP access list NAT
    10 permit ip any any

RouterID#

Thanks

8 Replies

Julio Carvajal
VIP Alumni

Hello Conrad,

With this configuration you should be able to access SMTP servers just from 192.168.1.13. If you do a show access-list 100, how many hits do you see on line 2?

Can we see the access-group?

I will be waiting for your answer,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I get the following if I do a show access-list 100. I'm not sure what you mean by "how many hits..."

Extended IP access list 100
    10 permit tcp host 192.168.1.13 any eq smtp
    20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp log
    30 permit ip 192.168.1.0 0.0.0.255 any

Hi,

You should do this:

access-list 100 permit tcp any host 192.168.1.13 eq smtp

access-list 100 deny tcp any any eq smtp

access-list 100 permit ip any 192.168.1.0 0.0.0.255

Then apply this ACL inbound on the inside interface.

Note: sh access-list will give, in parentheses, the number of packets that matched this ACL; these are hits, but you've got none here because your ACL is incorrect and maybe not applied in the right direction on the interface.

Regards.

Alain.

Don't forget to rate helpful posts.

Alain,

I have created the ACL as per your instruction. I have then applied the ACL to the BVI1 interface as follows.

RouterID(config)#interface BVI1
RouterID(config-if)#ip access-group 100 in

The instant I apply this ACL, I lose connection to the internet completely. Any ideas why this could be the case?

Thanks

Hi,

Yep, sorry, then in this case do this:

ip access-list 100

no 30

30 permit ip any any

I'm sorry, I didn't know which interface you were going to bind it to.

Regards.

Alain.

Don't forget to rate helpful posts.

iazazkhan
Level 1

Instead of this: access-list 100 permit ip any 192.168.1.0 0.0.0.255

use this: access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Apart from that, the solution provided by the guy is OK.

Everybody in this discussion is partially correct. The final access-list which works is

access-list 100 permit tcp host 192.168.1.13 any eq smtp

access-list 100 deny tcp any any eq smtp

access-list 100 permit ip any any

then on the BVI1 interface

ip access-group 100 in

So Cadet Alain, your first line needed to have the any part after the IP. Otherwise nothing could send out TCP traffic via SMTP. Iazaz and Cadet, both your suggestions work fine for the third line.

Thanks everybody for their help. Glad to have knocked this one on the head. Can breathe a bit easier about the possibility of being blacklisted again.
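As an added illustration (not code from the thread or from Cisco), here is a small Python model of IOS first-match extended ACL evaluation, run over the three ACLs discussed above as if applied with ip access-group 100 in on the inside interface. The sample flows are constructed; it shows why the first suggested ACL cut off all internet access (no entry matched outbound traffic, so the implicit deny dropped it) and that the original poster's ACL already filtered correctly once actually applied.

```python
import ipaddress
# Constructed sample flows, not from the thread: (src, dst, proto, dst_port)
FLOWS = {
    "mail server to smtp": ("192.168.1.13", "203.0.113.25", "tcp", 25),
    "other pc to smtp":    ("192.168.1.50", "203.0.113.25", "tcp", 25),
    "other pc to https":   ("192.168.1.50", "203.0.113.80", "tcp", 443),
}

def parse_addr(tokens):
    # Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_ace(line):
    # Parse 'permit|deny PROTO SRC DST [eq PORT] [log]'; a trailing 'log' is ignored.
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    port = None
    if rest and rest[0] == "eq":
        port = {"smtp": 25}.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def acl_permits(acl, src, dst, proto, dst_port):
    # First matching entry wins; every IOS ACL ends with an implicit deny.
    for action, p, s, d, port in map(parse_ace, acl):
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False
# The three ACLs from the thread, as seen by 'ip access-group 100 in' on the inside interface.
ORIGINAL = ["permit tcp host 192.168.1.13 any eq smtp",
            "deny tcp 192.168.1.0 0.0.0.255 any eq smtp log", "permit ip 192.168.1.0 0.0.0.255 any"]
ALAIN_FIRST = ["permit tcp any host 192.168.1.13 eq smtp",
               "deny tcp any any eq smtp", "permit ip any 192.168.1.0 0.0.0.255"]
FINAL = ["permit tcp host 192.168.1.13 any eq smtp", "deny tcp any any eq smtp", "permit ip any any"]

def evaluate(acl):
    # Map each sample flow to True (permitted) or False (dropped) under the given ACL.
    return {name: acl_permits(acl, *flow) for name, flow in FLOWS.items()}
```

A hit counter on the deny line (shown in parentheses by show access-list) is the quickest confirmation that the ACL is both applied and in the right direction.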

Hi Conrad,

I want to restrict outgoing smtp traffic to our mail server only.

You're right, I had not read your need well. I thought it was only permitting incoming SMTP traffic to this host, BUT it was outgoing you needed, so my ACL was not correct indeed.

Happy you solved it though.

Regards.

Alain.

Don't forget to rate helpful posts.